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(57) Abstract 

In a franking system a postal security device (PSD) tracks a postage fund for dispensing postal indicia ami enforce the configuration 
of the franking system. An authori2ation code, which is particular to the system, is used to verify the system configuration. An unauthonzca 
change in the system configuration causes invalidation of the code and generation of the postal indicia is denied. Date center (125) recoms 
configuration infoimation of each franking system (100). The data center generates a valid authorization code for verification m ttie frankmg 
system based on new configuration information. Components added to the system must be preapproved to prevent scnerat on 

of postage indicia. A registration number is assigned to each preapproved component wrhich is necessary for mteraction vi^ith the frankmg 
system. 
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nffpr-T-ipt-ion 

TECHNIQUE FOR SECURING A SYSTEM 
PONFTniTRATTnN OF A PORTAGE FRANKING SYSTEM 



TP>phnical Field 

The invention relates to a secure system 
configuration technique, and more particularly to a 
technique for protecting the integrity of components in a 
postage franking system. 

panTcarou rtd of the Invention 

It is commonplace to use postage meters or 
franking systems for generating postage indicia on 
mailpieces. The format of the postage indicia is 
specified by a postal authority to facilitate its 
inspection. In the United States, much attention has 
been focused on an Information-Based Indicia Program 
(IBIP) by the United States Postal Service (USPS) , 
proposing, among other things, new requirements for the 
format of a postage indicium. Such new requirements were 
promulgated, e.g., in the "Information Based Indicia 
Program (IBIP) Open System Indicium Specification," dated 
August 19, 1998. For instance, the IBIP requires 
inclusion of a 2 -dimensional (2-D) barcode in the postage 
indicium. Such a barcode represents postal information 
including postage, and a digital signature for 
authenticating the postal information, in accordance with 
a piiblic key algorithm. One such public key algorithm 
may be the Digital Signature Algorithm (DSA) described. 
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e.g., in ^Digital Signature Standard (DSS)," FTPS PUR 
ia£. May 19, 1994. 

In addition, under the IBIP, the requirements 
of a postal security device (PSD) supporting the creation 
of the postage indicium are specified, e.g., in the 
"Information Based Indicia Program (IBIP) Open System 
Postal Security Device (PSD) Specification, " dated August 
19, 1998. In accordance with the IBIP requirements, the 
PSD provides the aforementioned digital signature in the 
postage indicium, and dispenses and accounts for a postal 
fund stored therein in a secure manner. 

With the advent of sophisticated and widely 
available general purpose computers, e.g., personal 
computers (PCs) , it has become possible to use one such 
computer, by installing an appropriate postage generation 
program therein, to print postage indicia on a printer. 
Thus, a franking system may comprise a PC, and a PSD and 
printer serving as peripherals thereto, in accordance 
with an "open system" configuration. An advantage of 
adopting the open system configuration is that other 
mailing application software may also be installed by the 
user in the same PC to effectively generate mailpieces 
along with the postage indicia. For example, such 
mailing application software may include a billing 
program for charging postage back to different accounts, 
an envelope program for printing an address and a postage 
indicium on an envelope, an address cleansing program for 
correcting mailing addresses, etc. 

However, the user of a franking system based on 
the open system configuration has full access to the 
hardware and software components in the system. As a 
result, these components including the aforementioned 
postage generation program are subject to tampering, and 
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fraudulent manipulation to generate unauthorized postage 
indicia. 

Summary Of the Invention 

In accordance with the invention, an 
authorization code is used to secure the configuration of 
a franking system. The authorization code is derived in 
part from system configuration information concerning, 
e.g., the enabled and disabled feature options, current 
version number of software, and the identity of a 
computer in the franking system (e.g., the serial number 
of the computer) . Any unauthorized change in the system 
configuration results in an invalidation of the 
authorization code in the franking system, and denial of 
the franking operation. Thus, any system 

reconfiguration, e.g., a change in the feature options or 
software upgrade, must be effected using a new valid 
authorization code. Preferably, the authorization code 
verification is performed each time before the franking 
operation starts to forestall any fraudulent generation 
of postage indicia. 

In accordance with an aspect of the invention, 
software code, e.g., the object code of a postage 
generation program, in the franking system is subject to 
error checking thereof. Thus, the above authorization 
code is also derived from error checking information, 
e.g., cyclic redundancy check (CRC) bits or checksum of 
the software code. Any tampering of the software also 
results in an invalidation of the authorization code. 

In addition, to minimize the risk of fraudulent 
generation of postage indicia, franking- related software 
and hardware components by, e.g., third party vendors. 
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need to g6 through a pre-approval process before triey are 
installed in the franking system to participate in the 
franking operation. For instance, in the pre-approval 
process, the components need to pass standardized tests 
to meet certain minimum requirements in, e.g., tamper 
resistance. in accordance with yet another aspect of the 
invention, a pre-approved software component is afforded 
a registration identifier which is necessary for the 
software component to participate in the franking 
operation. For example, the registration identifier 
needs to be produced for verification each time when the 
software component interacts with the aforementioned 
postage generation program. Similarly, a pre-approved 
hardware component is afforded a registration identifier 
which is necessary for its utility software to 
participate in the franking operation. 

It is an object of the invention to control the 
configurations of the franking systems in the field. To 
that end, a data center keeps records of the latest 
configurations of the franking systems served by the data 
center, including the identities of the franking -related 
components in the respective systems. Such records can 
be used to control the configuration of each franking 
system. For example, with such records, the data center 
can generate the aforementioned authorization code for 
verification in each franking system to enforce its 
configuration. 

It is another object of the invention to 
effectively conduct online transactions using postage 
funds. TO that end, the aforementioned data center also 
keeps a customer account for replenishing a postage fund 
in each franking system. For example, software or a 
feature option for the franking system may be purchased 
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through a ' communication connection with the data center. 
Such an online transaction involves the data center's 
downloading the software to, or enabling the feature 
option of, the franking system through the communication 
connection, with the price of the software or feature 
option debited from its customer account in the data 
center . 



Br-ief Deacriptj on of the Prawin-Q 

Further objects, features and advantages of the 

invention will become apparent from the following 

detailed description taken in conjunction with the 

accompanying figures showing illustrative embodiments of 

the invention, in which: 

Fig. 1 illustrates a franking system which is 

capable of communicating with a remote data center in 

accordance with the invention; 

Fig. 2 illustrates the format of each record in 

a database in the remote data centers- 
Fig. 3 is a block diagram of a postal security 

device used in the franking system; 

Fig, 4 is a flow chart depicting the steps of a 

postage generation program used in the franking system; 

Fig. 5 illustrates a postage indicium generated 

by the postage generation program; 

Fig, 6 illustrates an authorization code which 

needs to be verified in reconfiguring the franking 
system; 

Fig. 7 is a flow chart depicting the steps 
taken by the franking system to verify the authorization 
code; 
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Figs. 8A and 8B jointly illustrate a process 
whereby the franking system can be remotely reconfigured 
through a communications connection; 

Fig. 9 shows a variation of the design of the 
authorization code; 

Fig. 10 illustrates a memory map of storage of 
feature option values; 

Fig. 11 illustrates a process for generating 
the authorization code of Fig. 9 in changing a feature 
option in the franking system; 

Fig. 12 illustrates a process for changing the 
feature option in the franking system using the 
authorization code of Fig. 9; 

Fig. 13 illustrates a second process for 
changing the feature option in the franking system using 
the authorization code of Fig. 9; 

Fig. 14 illustrates a memory map of storage of 
software version numbers; 

Fig. 15 illustrates a process for updating a 
software version number in the franking system; and 

Figs. 16A, 16B and 16C jointly illustrate a 
process for printing addresses and a postage indicium on 
an envelope using pre-approved components in the franking 
system. 

Detail ed Description 

Fig. 1 illustrates franking system 100 
embodying the principles of the invention for realizing 
mailing applications and generating postage indicia on 
mailpieces. In this particular illustrative embodiment, 
system 100 is configured as an open system, where 
computer 105 may be a conventional personal computer (PC) 
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serving as a host device, and where PSD 110, printer 115 
and modem 120 are peripherals to computer 105. 
Alternatively, computer 105 may be a workstation or any 
other general purpose computing machine. Computer 105 
5 may cause modem 12 0 to establish a communication 

connection through a communications network to, say, 
remote data center 125. Although modem 120 in this 
instance is shown as an external modem, it will be 
appreciated that any internal modem within computer 105 

10 may be used, instead. 

Data center 125 includes processor 130 which, 
among other things, maintains database 14 0 and 
registration identifiers 145 stored in memory 135 to 
serve different franking systems, e.g., franking system 

15 100, communicates therewith to replenish their postage 

funds, and provides authorization codes to control their 
configurations in accordance with the invention. 

Database 14 0 contains records concerning the 
respective franking systems served by data center 125. 

2 0 Fig. 2 illustrates the foirmat of each record in database 
140. In this instance, each franking system is 
identified by a PSD serial number in field 161 pre- 
assigned to its PSD. Field 163 contains account 
information such as a prefunded or credit escrow account 

25 balance for the franking system for conducting a 

telemeter setting (TMS) transaction described below. 
Field 165 includes configuration information (described 
below) concerning the configuration of the franking 
system to protect its integrity in accordance with the 

30 invention. 

Fig. 3 illustrates PSD 110 which in this 
instance is realized as an integrated circuit (IC) module 
peripheral to computer 105. PSD 110 comprises secure 
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memory 200, processing unit 210 including one or more 
processors, and communications interface 220 (realizable 
as PCMCIA, serial or parallel interface) for interfacing 
with and insertion into a corresponding mating port (not 
shown) in computer 105. 

Secure memory 200 is a nonvolatile memory which 
includes, among others, ascending register 230 and 
descending register 235. Ascending register 230 is used 
to keep track of an amount of postage dispensed. On the 
other hand, descending register 235 is used to keep track 
of the postage fund amount available for postage 
dispensation. When the value of descending register 235 
decreases over time below a predetermined limit, computer 
105 can no longer dispense postage until descending 
register 235 is reset. Such a reset may be achieved by 
way of electronic funds transfer, in accordance with a 
well-known TMS technique, via a communication connection 
(e.g., a dial-up connection or an Internet connection) to 
data center 125 through modem 120. 

Using the TMS technique in this instance, the 
user need not carry PSD lio to a postal authority for 
authorized resetting of descending register 235. To 
initiate a TMS process on computer 105, the user needs to 
meet certain access requirements. For example, the user 
may be required to enter a password, key, or biometric 
input (e.g., fingerprint) on computer 105 using an 
appropriate input device attached to computer 105. 
Verification of such an access entry ensures that the 
user is authorized to conduct such a process. After the 
access entry is verified, computer 105 initiates a call 
through modem 120 (alternatively via the Internet) to 
data center 125, requesting additional postage funds, 
upon receipt of the call, processor 130 verifies in a 
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well known manner the current ascending and descending 
register values and other PSD data in secure memory 200 
of PSD 110, and ascertains the availability of funds in 
the prefunded or credit escrow account of system 100. 
After the PSD data is validated and the account balance 
is found to be sufficient, processor 130 debits the 
account and remotely resets descending register 235 in 
PSD 110 accordingly. 

System 100 in this instance may be used to 
generate postage indicia in accordance with the United 
States Postal Service (USPS) Information Based Indicia 
Program (IBIP) specification, namely, the "Information 
Based Indicia Program (IBIP) Open System Indicium 
Specification," dated August 19, 1998, To that end, 
secure memory 2 00 also includes a well-known digital 
signature algorithm (DSA) described, e.g., in "Digital 
Signature Standard (DSS)," FIPS PUP ^8g, May 19, 1994; 
and a private key and the corresponding public key in 
accordance with the DSA. The public key may be made 
available to the public in a PSD certificate in the 
postage indicia. For instance, using the DSA, unit 210 
may sign specified postal data with an associated private 
key to generate a different digital signature to be 
included in each postage indicium. The postal authority 
then scans the postage indicium and verifies the digital 
signature to authenticate the postage indicium, in 
accordance with the DSA. It should be noted that instead 
of the DSA of the DSS, another well-known data 
authentication algorithm such as the RSA or Elliptic 
Curve algorithm may be used. 

For postage franking operation, computer 105 is 
loaded with software components including postage 
generation program 3 00 for generating postage indicia. 
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Fig. 4 illustrates program 300 stored in a memory (not 
Shown) in computer 105. Instructed by program 300, 
computer 105 prompts the user to enter mailing 
information concerning the destination zip code, weight 
mail class (or rate category), any special services, 
etc., of a mailpiece to be mailed, as indicated at step 
305. Assuming in this instance that a rate module is 
pre-installed in computer 105 which provides postage rate 
information, computer 105 at step 310 calculates the 
required postage based on the user entries and postage 
rate information. Otherwise, the user would be prompted 
to enter the required postage value for mailing the 
mailpiece. At step 313, computer 105 sends the data 
concerning the mail class and postage value to PSD 110 
instructed by a subroutine of program 300, unit 210 in 
PSD 110 deducts the required postage value from the 
available postal fund in descending register 235, and 
accordingly adds same to the dispensed fund in ascending 
register 230 to account for the transaction, as indicated 
at step 315. At step 317, unit 210 in accordance with 
the DSA of the DSS signs postal data concerning the mail 
class, postage value, ascending and descending register 
values, and date of mailing, together with other data 
pre-stored in memory 200 such as the software ID 
identifying program 300, device ID identifying PSD lio 
and licensing zip code, resulting in a digital signature 
for authenticating the postage indicium to be generated. 
At step 320, computer 105 receives from PSD lio the 
digital signature, ascending and descending register 
30 values, etc. At step 325, computer 105 prepares a print 
image of a postage indicium representing the required 
postal data and digital signature. Alternatively, unit 
210 xtself may create the print image of the postage 
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indicium and pass it onto computer 105. Upon receiving a 
print command, computer 105 transmits the print image to 
printer 115, which then prints the postage indicium on a 
label or an envelope fed to printer 115 . 

Fig. 5 illustrates one such postage indicium 
500 which serves as proof of postage payment. Indicium 
500 includes human readable portion 555 and machine 
readable portion 560. Portion 555 may include, e.g., the 
date of mailing, postage, device ID, originating town and 
zip code, mail class, etc. Machine readable portion 560, 
which is readable using an optical scanner, may include a 
2 -dimensional barcode representing data concerning the 
device ID, ascending and descending register values, 
postage value, digital signature, date of mailing, 
licensing zip code, software ID, PSD certificate, mail 
class, etc* Alternatively, machine readable portion 560 
may comprise one or more data matrix symbols representing 
similar data, as described in PCX International 
Publication No. WO 99/16023, published on April 1, 1999. 

Because of the open system configuration of 
franking system 100, the user has full access to hardware 
and software components in system 100. As a result, 
these components, e.g., postage generation program 300 
described above, are subject to tampering and 
unauthorized use. In accordance with the invention, 
verification of an authorization code is required from 
time to time to prevent tampering and unauthorized use of 
the components of system 100, 

Fig. 6 illustrates one such authorization code 
600 used to prevent any tampering and unauthorized use of 
postage generation program 3 00 described above, and 
feature options available in system 100 which may 
include, e.g., a label printing option and other printer 



996642aA1 I > 



wo 99/66422 



PCT/US99/13488 



■12- 



optxons, ^ barcode scanner option, etc. System loo is 
pre-loaded with software components necessary for 
providing these options. A valid authorization code 
which is unique to system 100, needs to be entered onto 
5 system 100 in order to install or upgrade the code of 
program 300, and/or enable new feature options selected 
by the user, m response to a user request for a system 
reconfiguration involving the program code and/or feature 
options, authorization code 600 is generated by processor 
130 in data center 125 and then provided either to the 
user via facsimile, email, telephone, etc., for the user 
to enter onto system 100 using, e.g., a keyboard attached 
to computer 105, or to system 100 directly via the 
aforementioned communication connection between data 
15 center 125 and system lOO. As shown in Fig. 6, 

authorization code 600 consists of m-bit electronic 
signature 605 and n-bit encrypted option segment 610, 
where m and n are predetermined integers. To generate 
electronic signature 605, for example, a combination of 
20 (a) the identity of computer 105, which in this instance 
xs the serial number of computer 105, (b) the hardware 
configuration identifier of computer 105, e.g., 
indicative of the type of processor and RAM capacity in 
computer 105, (c) the serial number of PSD lio, (d) the 
5 software version number of program 300, (e) error 
checking information, e.g., in this instance cyclic 
redundancy check (CRC) bits, resulting from performing a 
CRC on the code of program 300, and (f ) an option number 
Whose bit pattern corresponds to a particular combination 
of the enabled and disabled feature options for the 
postage franking operation. item (c) is provided in 
fxeld 161, and items (a), (b) , and (d) through (f, are 
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provided in field 165 of the record pertaining to system 
100 in database 14 0. 

It should be noted at this point that item (e) 
in this instance is obtained by running a well knovm CRC 
algorithm, e.g., Reed Solomon CRC algorithm, on the 
object code of program 3 00 which is authorized in system 
100, Alternatively, a checksum derived in a conventional 
manner from the object code may be used. 

The derivation by processor 130 of electronic 
signature 605 involves encrypting the combination of 
items (a) through (f) in accordance with a first well 
known encryption algorithm. Signature 605 is then 
derived from the encrypted version of the combination of 
the items, e.g., by extracting therefrom a predetermined 
sequence of m bits. Alternatively, signature 605 may be 
generated using a well known symmetric or asymmetric key 
cryptographic methodology. 

On the other hand, encrypted option segment 610 
is generated by encrypting only the option number (f ) in 
accordance with a second well known encryption algorithm. 
Alternatively, segment 610 may be unencrypted, i.e., 
containing the plain text of option number (f ) . 

It suffices to know for now that after system 
100 enters a reconfiguration mode where authorization 
code 600 is entered, code 600 is stored in authorization 
code buffer 241. Encrypted option segment 610 of code 
600 is subsequently decrypted to recover the underlying 
option number. Using the recovered option number (f) and 
additional items in system 100 which are identical to 
aforementioned items (a) through (e) , and the same first 
encryption algorithm in the above -described manner, 
system 100 is capable of independently generating an 
electronic signature identical to electronic signature 



wo 99/66422 



PCTAJS99/13488 



-14- 



605 Of code 600. in any event, the generated signature 
xs compared with electronic signature 605 in buffer 241 
If the two signatures match, the authorization code is 

declared valid. Otherwi«3A •!<= i-u 

wtnerwise, if they do not match, the 

5 franking operation by system lOO is suspended. 

It should be noted at this point that the 
authorization code verification requirement is desirable 
xn that it helps deter unauthorized copying of software 
xn system 100, e.g., program 300, onto other similar 
10 systems. This stems from the fact that even though the 
software can be copied onto the similar systems, the 
latter would not be able to perform the franking 
operation without proper authorization codes, which need 
to be derived in part from their respective unique 
15 computer and PSD serial numbers. m addition, because 
authorization code 600 is partly derived from 
aforementioned item (e) , tampering of the software is 
prevented as any such tampering results in a deviation 
from the valid CRC bit values, causing invalidation of 
20 the authorization code. Moreover, since system 100 would 
only be able to perform franking operation with a proper 
authorization code, which specifies a valid combination 
Of software and hardware components, and feature options 
xn system 100, the authorization code verification 
25 requirement thus enables data center 125 to control the 
configuration of each franking system served thereby. 

As mentioned before, each bit of the option 
number (f) corresponds to a feature option of franking 
system lOO. Each option, which is initially disabled 
0 may be selectively enabled by setting the appropriate' 
bxts of the option number (f, to the opposite value 
Thus, for example, if a user wants to enable a previously 
dxsabled label printing option, a proper authorization 
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code needs to be entered on system 100 while in a 
reconfiguration mode, causing the bit in the option 
number (f) corresponding to the label printing option to 
change to the opposite value to enable the option. 
5 System 100 effects the feature options according to the 
bit pattern of the option number stored in option number 
buffer 243 in memory 200. In this particular 
illustrative embodiment, the recovered option number from 
decrypting segment 610 of authorization code 600 

10 overwrites the current option number in buffer 243 
irrespective of the outcome of the validation of 
authorization number 600. That is, system 100 
immediately effects the feature options according to the 
recovered option number as soon as it is placed in buffer 

15 243, irrespective of the outcome of the validation. 

After the feature options are effected in the 
prescribed manner in the reconfiguration mode, system 100 
returns to a normal operation mode. When postage 
generation program 3 00 is invoked to perform the franking 

20 operation in the normal operation mode, unit 210 reads 
from memory 2 00 (i) the serial number of computer 105, 
(ii) the hardware configuration identifier of computer 
105, (iii) the serial number of PSD 110, and (iv) the 
software version number of program 300, which are 

25 collected by unit 210 and stored in memory 200. Unit 210 
also obtains (v) CRC bits based on running the 
aforementioned CRC algorithm on the latest code of 
program 300 in system 100, and (vi) the option number 
from buffer 243. Unit 210 independently generates an 

30 electronic signature using items (i) through (vi) and the 
aforementioned first encryption algorithm in a similar 
manner to processor 13 0 generating electronic signature 
605 in data center 125. The electronic signature, thus 
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generated- is compared with the electronic signature 
stored in buffer 241, i.e., the first m bits of 
authorization code 600 therein, if there is no mismatch, 
generation of postage indicia using program 300 is 
allowed. Otherwise if there is any mismatch, a message 
such as "invalid Authorization Code" is displayed on 
computer 105, and generation of postage indicia is 
halted. 

Where authorization code 600 is entered by user 
onto system 100, in view of the possibility that the user 
makes an erroneous authorization code entry, the user is 
afforded a limited number of times to re-enter the 
correct authorization code after the message is 
displayed. After the limited number of times is 
exhausted, proper resetting of system 100 by authorized 
personnel is needed to re-enable the system to perform 
the franking operation. 

For installing or upgrading a software 
component, e.g., the code of postage generation program 
300, the user may be provided with a compact disk (CD) 
or another conventional storage medium, e.g., a floppy' 
disk, ic module, digital video disk (DVD), etc., 
containing the necessary software, and authorization code 
600 on the storage medium package which is generated in 
data center 125 for verification after the software 
installation or upgrade. The new software version number 
of program 300 may be embedded in the header of the 
program. When the software installation or upgrade is 
performed, the new software version number is read by 
computer 105 and transferred to memory 200 where the new 
software version number replaces the current software 
version number (iv) . 
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• After the software installation or upgrade in 
the reconfiguration mode, system 100 returns to the 
normal operation mode. When postage generation program 
300 is invoked to perform the franking operation in the 
normal operation mode, the user is prompted for 
authorization code 600 on the storage medium package, 
Authorization code 600 is then verified according to the 
steps similar to those in the above -described 
verification after effecting new feature options. 
Specifically, unit 210 stores in buffer 241 authorization 
code 600 entered by the user, as indicated at step 701 in 
Fig. 7. At step 702, unit 210 causes the decryption of 
encrypted option segment 610 of authorization code 600 in 
buffer 241, thereby recovering the underlying option 
number (vi) . Such decryption is accomplished using a 
decryption algorithm inverse to the second encryption 
algorithm. At step 703 , processor 201 stores the 
recovered option number in buffer 243, although in this 
instance the recovered option number is identical to 
current option number in buffer 243. At step 704, unit 
210 runs the CRC algorithm on the latest code of postage 
generation program 300, thereby obtaining item (v) . At 
step 705, unit 210 reads the above items (i) through (iv) 
from memory 200, where item (iv) has the latest software 
version number of program 3 00. At step 706, unit 210 
independently generates an electronic signature using 
items (i) through (vi) , and the first encryption 
algorithm in a similar manner to processor 130 generating 
electronic signature 605 in data center 125. Unit 210 at 
step 707 compares the generated electronic signature with 
electronic signature 605 of authorization code 600 in 
buffer 241. The authorization code is validated if unit 
210 finds that the two electronic signatures match. 
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Otherwise, a message such as "Invalid Authorization Code" 
xs displayed on computer 105, and generation of postage 
indicia is halted. 

It should be noted that the above authorization 
code verification is performed not only after system lOO 
xs reconfigured, but preferably each time, or from time 
to time, when postage generation program 300 is invoked 
xn the normal operation mode. Thus, preferably each 
txme, or from time to time, before the franking operation 
xs xnitxated, processor 201 performs above steps 702 
through 707 for fear that the components of franking 
system 100 are tampered in the meantime. 

It should also be noted that the above 
authorization code verification may also.be performed via 
dxrect communications between data center 125 and 
franking system 100, thereby obviating the need of having 
the user enter the authorization code. Figs. 8A and SB 
jointly illustrate remote reconfiguration process 800 
whereby a user can purchase a new feature option or 
software online, and whereby authorization code 600 is 
verified via direct communications between data center 
125 and system 100. Process 800 may be invoked by the 
user's entering a specified command on computer 105 
Similar to the above -described TMS process for requesting 
additional postage, process 800 starts with prompting the 
user for an access entry (e.g., a password, key or 
biometric input) on computer 105, as indicated at step 
806 in Pig. 8A. Verification of such an access entry 
ensures that the user is authorized to conduct the remote 
reconfiguration process. After the access entry is 
verified at step 809, computer 105 at step 812 
establishes a communication connection with data center 
125 via modem 120. Through the established connection 
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processor 13 0 in data center 125 performs initial 
handshaking with franking system 100 according to a pre- 
agreed upon communication protocol, thereby identifying 
at step 815 franking system 100, e.g., by its PSD serial 
5 number. Based on the PSD serial number, processor 130 at 
step 818 locates in database 140 the record pertaining to 
franking system 100. 

At step 821, processor 130 reviews fields 163 
and 165 of the located record for the current escrow 

10 account balance and configuration information of system 

100, respectively. Based on the current configuration of 
system 100, processor 130 at step 824 causes computer 105 
to display a menu thereon containing selections of any 
new software available for downloading, and currently 

15 disabled options for activation. The menu also indicates 
the current escrow account or credit balance, the prices 
for downloading any new software having a new version 
number, and for activating one or more of the disabled 
options. Assuming that in this example the user wants to 

20 activate a previously disabled option, say, option A in 
the menu, the user may use a mouse device (not shown) 
attached to computer 105 to select option A. 

At step 827, computer 105 communicates the 
user's selection of option A to processor 130. Upon 

25 receiving the option selection, processor 130 at step 830 
debits the price of option A from the current escrow 
account balance, resulting in a new balance in field 163. 
Accordingly, processor 130 at step 833 changes the value 
of the bit in the option number (f) in field 165 

30 corresponding to option A, reflecting an activation of 
option A. At step 836, processor 130 generates 
authorization code 600 consisting of electronic signature 
605 and encrypted option segment 610. As mentioned 
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before, electronic signature 605 is derived from an ' 
encrypted version of items (a) through (f) in field 165 
of the record pertaining to system 100. Encrypted option 
segment 610 is obtained by encrypting the option number 
(f) alone. Authorization code 600 is then transmitted 
from data center 125 to system lOO through the 
established communication connection, as indicated at 
step 839, The communication connection is thereafter 
terminated. 

The remaining steps in process 800 are similar 
to those in routine 700 described before. Specifically, 
similar to step 701, step 841 in Fig. 8B involves storing 
received authorization code in buffer 241. Similar to 
step 702, step 843 involves decryption of encrypted 
15 option segment 610 of authorization code 600 to recover 

the underlying option number (vi) , which in this instance 
indicates the activation status of option A. Similar to 
step 703, step 845 involves storing the recovered option 
number in buffer 243, thereby activating option A. 
20 Similar to step 704, step 847 involves running the CRC 
algorithm on the latest code of postage generation 
program 300, thereby obtaining item (v) . similar to step 
705, step 849 involves reading items (i) through (iv) 
from memory 200. Similar to step 706, step 851 involves 
25 independently generating an electronic signature using 
items (i) through (vi) , and the first encryption 
algorithm. Similar to step 707, step 853 involves 
comparing the generated electronic signature with 
electronic signature 605 of authorization code 600 in 
30 buffer 241. Again, the authorization code is validated 
if unit 210 finds that the two electronic signatures 
match. Otherwise, an "Invalid Authorization Code" 
message would be displayed on computer 105, and 
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generation of postage indicia would be halted as 
described before , 

Based on the disclosure heretofore, it is 
apparent to a person skilled in the art that where the 
5 user chooses to purchase new software online, instead, 

the steps in process 800 similarly follow, except that in 
that case, at step 839 the new software, including the 
new software version number therein, would be downloaded 
from data center 125 to system 100, along with the 

10 transmission of authorization code 600 thereto. 

Variations of the design of the authorization 
code which call for different verification techniques 
will now be described. In accordance with a first design 
variation, the authorization code is generated by 

15 encrypting items (a) through (f) using a standard 

encryption algorithm in data center 125. After such an 
authorization code is provided to system 100, the latter 
decrypts the received authorization code using a 
decryption algorithm inverse to the standard encryption 

20 algorithm, thereby recovering the underlying items (a) 
through (f ) . Items (i) through (v) are then obtain in 
system 100 in the manner described before, and compares 
them with the corresponding, recovered items (a) through 
(e) . The authorization code is validated if the two sets 

25 of items match. 

If the authorization code of the first design 
variation is not validated because of certain mismatched 
items, it may be desirable to show on computer 125 such 
mismatched items for diagnostic purposes. For example, 

30 if it is shown that item (d) does not match item (iv) , a 
wrong software version of program 300 may have been 
installed in system 100. It may be a manufacturing 
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def ect if the authorization code invalidation occurs 
during the very first time of the franking operation. 

Fig. 9 illustrates a second variation of the 
authorization code design. In accordance with this 
5 variation, authorization code 900 includes m-bit 

electronic signature 905 which is generated in the same 
manner as electronic signature 605. Authorization code 
900 also includes encrypted reconfiguration segment 910 
having a variable length. The formation of segment 910 
10 is fully described below. it suffices to know for now 
that the length of segment 910 depends on the actual 
reconfiguration which needs to be realized. 

In a first example where authorization code 900 
may be used, a user requests an activation of a currently 
disabled feature option, say, option C. m accordance 
with an aspect of the invention, for each feature option, 
a pair of memory locations are allocated in memory 200 of 
PSD 110 to pre-store «l" and »0" bit values representing, 
e.g., an "enabled" status and a Misabled" status of the 
20 option, respectively. The resulting memory map is 

illustrated in Fig. lo. As shown in Fig. lo, a first 
pair of memory addresses 1A2B (hexadecimal) and 1A2C in 
memory 200 correspond to feature option A, where «0" is 
pre- stored at memory address 1A2B and «l" is pre-stored 
at memory address 1A2C; a second pair of memory addresses 
1A2D and 1A2E in memory 200 correspond to feature option 
B, where «0" is pre-stored at memory address 1A2D and »1" 
is pre-stored at memory address 1A2E; a third pair of 
memory addresses 1A2F and 1A30 in memory 200 correspond 
to feature option C, where "0" is pre-stored at memory 
address 1A2F and «1" is pre-stored at memory address 
1A30; and so on and so forth. This memory, map is made 
known to data center 125 beforehand and registered in 
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f ield 165 of the record pertaining to system 100 in 
database 140. 

Continuing the above example, assuming that the 
request for activating feature option C is granted, 
5 processor 130 in data center 125 changes the value of the 
bit in option number (f) corresponding to option C from 
the previous value ''0" to the new value ''1" to activate 
the option, as indicated at step 1103 in Fig. 11- 
Processor 130 at step 1106 generates electronic signature 

10 905 based on items (a) through (f) in the manner 

described before, where option number (f) incorporates 
the new bit value ^^1" corresponding to option C. 

Processor 13 0 then generates encrypted 
reconfiguration segment 910, Specifically, at step 1109 

15 processor 130 looks up from the aforementioned registered 
memory map the memory address corresponding to option C 
at which the new bit value "1" is pre- stored in memory 
200. In this instance, the memory address in question is 
1A30, At step 1112, processor 130 encrypts the memory 

20 address using the aforementioned second encryption 

algorithm, resulting in segment 910, Authorization code 
900 consisting of electronic signature 905 and encrypted 
reconfiguration segment 910 is fed to system 100 in a 
reconfiguration mode either by direct communications or a 

25 user entry. 

After receiving authorization code 900, unit 
210 at step 1203 in Fig. 12 decrypts segment 910 of 
authorization code 900 using the decryption algorithm 
inverse to the second encryption algorithm, thereby 

30 recovering the memory address 1A30. It should be noted 
that segment 910 starts from the (m+l)*"^ bit of received 
authorization code 900. Unit 210 at step 1206 retrieves 
from memory 200 the bit value ''1" corresponding to option 
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C at memoty address 1A30. Unit 210 at step 1209 
overwrites the current bit value "O" corresponding to 
option C in option nunO^er buffer 243 with the retrieved 
bit value thereby activating option C. Unit 210 at 

step 1212 gathers items (i) through (v) in the manner 
described before, and reads from option number buffer 243 
the modified option number (vi) . unit 210 at step 1215 
independently generates an electronic signature based on 
items (i) through (vi) in the manner described before. 
Unit 210 compares the resulting electronic signature with 
received electronic signature 905 of received 
authorization code 900, as indicated at step 1217. If 
they match, the authorization code is validated. 
Otherwise, an "Invalid Authorization Code" message would 
be displayed on computer 105, and generation of postage 
indicia would be halted as described before. 

Although the above processes involve only one 
feature option, i.e., option C, the processes similarly 
follow where two or more options need to changed at the 
same time. In that case, the memory addresses associated 
with the multiple options are concatenated and then 
encrypted using the second encryption algorithm, thereby 
generating encrypted reconfiguration segment 910. 
Accordingly, the length of segment 910 increases with the 
number of feature options to be changed. 

To keep segment 910 relatively short especially 
when multiple options need to be changed, in an 
alternative embodiment, segment 910 comprises an 
encrypted version of offset memory addresses, rather than 
full memory addresses, associated with the options. 
Referring briefly to Pig. lo, since the full memory 
address associated with each feature option 
illustratively starts with "lA," unit 210 can be 
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programmed to assume that the first two nibbles of the 
option memory addresses are always *^1A" • Thus, when 
option A needs to be changed, only the offset address 
*'2B" or **2C" needs to be communicated using segment 910 
for enabling or disabling the option; when option B needs 
to be changed, only the offset address ^2D" or «2E" needs 
to be communicated using segment 910 for enabling or 
disabling the option; when option C needs to be changed, 
only the offset address ^2F" or "30" needs to be 
communicated using segment 910 for enabling or disabling 
the option; and so on and so forth. 

In a second example where authorization code 
900 may be used, to save memory space in memory 200, the 
storage of "1" and "'0" values for each option as set 
forth in the memory map of Fig. 10 may be totally 
avoided. Since a change in each option involves changing 
the corresponding bit value in option number buffer 243 
to the opposite value, the encrypted reconfiguration 
segment 910 only needs to communicate the identities of 
the feature options which need to be changed- After 
learning the identities of such options based on segment 
910, unit 210 locate the bits in buffer 243 corresponding 
to the identified options and change their current bit 
values to the opposite values, respectively- 

Thus, in this second example, segment 910 is 
formed by encrypting codes identifying the respective 
options to be changed. Various designs of the codes are 
possible as long as each code uniquely identifies a 
respective option. For example, for the sake of 
convenience, the code identifying an option may represent 
the bit position corresponding to the option in buffer 
243. Thus, the code for option A may be '"01" 
representing the first bit position of buffer 243 



9966422A1_I.> 



10 



15 



20 



25 



30 



WO 99/66422 

PCT/US99/13488 

-26- 

corresponding to option A; the code for option B may be 
"02" representing the second bit position of buffer 243 
corresponding to option B; the code for option C may be 
"03" representing the third bit position of buffer 243 
corresponding to option C; and so on and so forth. 

Continuing the second example, let's say that 
feature options A and C need to be changed in this 
instance. Thus, system 100 is fed with authorization 
code 900 wherein electronic signature 905 is generated by 
processor 130 in data center 125 in the manner described 
before, and encrypted reconfiguration segment 910 
contains an encrypted version of the option codes «0103" 
in concatenation, where the option code "01" identifies 
option A and option code «03" identifies option C. 

As indicated at step 1303 in Fig. 13, unit 210 
first decrypts encrypted reconfiguration segment 910 of 
received authorization code 900, thereby recovering the 
option codes «0103". Based on a first option code »01" 
representing the first bit position in buffer 243 
corresponding to option A, which needs to be changed, 
unit 210 at step 1306 changes the current value of the 
first bit in buffer 243 to the opposite value. in 
addition, based on a second option code «03" which 
immediately follows «01" and which represents the third 
bit position in buffer 243 corresponding to option C, 
which needs to be changed, unit 210 at step 1309 changes 
the current value of the third bit in buffer 243 to the 
opposite value. Unit 210 at step 1312, similar to above- 
described step 1212, gathers items (i) through (v) , and 
reads from option number buffer 243 the modified option 
number (vi) . Unit 210 at step 1315, similar to above- 
described step 1215, independently generates an 
electronic signature based on items (i) through (vi) . 
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Unit 210 compares the resulting electronic signature with 
electronic signature 905 of received authorization code 
900, as indicated at step 1317 similar to above-described 
step 1217. If they match, the authorization- -code is 
5 validated. Otherwise, an ^'Invalid Authorization Code" 
message would be displayed on computer 105, and 
generation of postage indicia would be halted as 
described before. 

We have recognized that for loading new 

10 software on system 100 for a program upgrade or 
installation without changing feature options, 
authorization code 900 may consist of electronic 
signature 905 only, i.e., encrypted reconfiguration 
segment having a zero length. In this illustrative 

15 embodiment, an array of memory addresses in memory 200 

are allocated to pre-store a quantity of possible version 
numbers of software, e.g., postage franking program 300. 
As shown in Fig, 14, for example, version number is 
pre-stored at memory address 1B12; version number *'2" is 

20 pre-stored at memory address 1B13; version number *3 is 
pre-stored at memory address 1B14; and so on and so 
forth. A version number pointer (not shown) in memory 
200 is used to indicate the memo3ry location of the 
current software version number. Assuming that the 

25 current software version number is "2" , the pointer has a 
value of *^1B13" . 

The new software to be loaded onto system 100 
contains a header which in this instance includes the 
memory address at which the new software version number 

30 is pre-stored. Let's say the new version number is ''3" 
and the header thus contains the memory address *'1B14" , 
In granting the loading of new software onto 
system 100, processor 130 in data center 125 generates 



BNSDOCID: <WO 9966422A1J_> 



wo 99/66422 



PCT/US99/13488 



10 



-28- 

authorization code 900 consisting of only electronic 
signature 905 based on items (a) through (f ) in the 
manner described before, where item (d) has the new 
software version number. Electronic signature 905 is 
provided to system lOO for later verification. 

While the new software is being loaded onto 
system 100 via an online connection or a storage medium, 
unit 210 in PSD 110 at step 1503 in Fig. 15 changes the 
aforementioned version number pointer value to the memory 
address provided in the header of the new software, i.e., 
"1614". As a result, the pointer indicates a new memory 
location containing the software version number "3". 
Unit 210 at step 1506 gathers items (i) through (iii) , 
(v) and (vi) , and reads from memory address 1B14 
15 indicated by the pointer the new software version number 
«3" as item (iv) . Unit 210 at step 1509, similar to 
above -described step 1215, independently generates an 
electronic signature based on items (i) through (vi) . 
Unit 210 compares the resulting electronic signature with 
received electronic signature 905, as indicated at step 
1511 similar to above -described step 1217. if they 
match, the authorization code is validated. Otherwise, 
an "Invalid Authorization Code" message would be 
displayed on computer 105, and generation of postage 
25 indicia would be halted as described before. 

It should be noted at this point that the 
memory address communicated in the header of the new 
software may be an offset address, as well, e.g., «12", 
"13", "14" . . ., rather than its full address, e.g., 
30 «1B12", «1B13«, «1B14" ... as it is understood that the 
two most significant nibbles of the full address are 
always "IB" . 
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In addition, to save memory space in memory 
200, the storage of possible software version numbers as 
set forth in the memory map of Fig. 14 may be totally 
avoided, especially where the software version number 
5 always increments by one when new software is loaded onto 
system 100. In that case, a counter (not shown) in PSD 
110 may be used to keep track of the current software 
version number. Unit 210 may be programmed to be 
responsive to loading of new software onto system 100 to 

10 cause the counter to increment by one, thereby updating 
the software version number (iv) . After loading of the 
new software, unit 210 independently generates an 
electronic signature based on items (i) through (vi) . 
The generated electronic signature is compared with 

15 electronic signature 905 generated by data center 125 in 
part based on the new software version number in (d) . If 
they match, the loading of new software onto system 100 
is authorized. 

Because system 100 is configured as an open 

20 system, a user may freely load additional software onto 
computer 105, and add to system 100 hardware components, 
e.g., peripherals to computer 105. An advantage of 
adopting the open system configuration is that 
application software, other than postage generation 

25 program 3 00 described above, may be installed by the user 
on his/her own in computer 105 to interact with, say, 
program 300, to realize a more comprehensive mailing 
process. Such other application software may include, 
e.g., a billing program for charging postage back to 

30 different accounts, an envelope program for printing an 

address and a postage indicium on an envelope, an address 
cleansing program for correcting mailing addresses, etc. 
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■On the other hand, because system 100 is ^ 
configured as an open system, the integrity of the 
franking operation thereby may be jeopardized. For 
example, the user may load illegitimate software on 
computer 105 to interact with postage generation program 
300 to fraudulently print postage indicia. The user may 
also employ a printer of inferior quality to print 
substandard postage indicia, which are unreadable by an 
optical scanner. 

Thus, in accordance with an aspect of the 
invention, the franking-related hardware and software 
components in system 100 need to be pre-approved. To 
that end, the components by different vendors need to 
pass standardized tests to meet certain minimum 
requirements in, e.g., compatibility with a postage 
generation program in the franking system, print quality 
tamper resistance, efficiency, durability, etc., to 
become approved. The pre-approved components may then be 
marketed to users for installation in their franking 
systems, e.g., system loo. The manner in which the pre- 
approval requirement of the software and hardware 
components is enforced when they interact with the 
postage generation program is fully described below it 
suffices to know for now that each pre-approved software 
component includes a valid registration identifier which 
xs necessary for the software component to interact with 
the postage generation program. Similarly, for each pre- 
approved hardware component (e.g., a printer), its 
utility software (e.g., printer driver software) 
interfacing the hardware component with the postage 
generation program also includes a valid registration 
identifier, which is necessary for it to interact with 
the postage generation program. 
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■ In accordance with another aspect of the 
invention, a registration identifier is used to (1) 
identify a f ranking-related hardware or software 
component in a franking system configuration, (2) enforce 
5 the pre -approval requirement of such a hardware or 

software component. To achieve object (1), each pre- 
approved software component, and hardware component 
including its utility software is assigned a different 
registration identifier- A duplicate copy of the 

10 registration identifier is registered in memory 135 of 
data center 125. Thus, data center 125 includes in 
memory 135 a collection of registration identifiers 145 
which identify and are associated with different pre- 
approved components. The registration identifier 

15 collection is updated from time to time as additional 
software and hardware component pass the standardized 
tests and become approved. 

When each pre-approved component interacts with 
the postage generation program, the registration 

20 identifier in the component is compared with the 
registered registration identifier. If the two 
identifiers match or correspond, the component is 
verified to be pre-approved, thereby achieving object 
(2). 

25 A pre-approved envelope program having a 

registration identifier for verification of its pre- 
approval status will now be described. This envelope 
program may be purchased from a third-party vendor and 
installed by the user in computer 105. Because of its 

30 pre-approval status, the envelope program includes 

therein a registration identifier which identifies the 
program. Figs, 16A, 16B and 16C jointly illustrate the 
envelope program and interactions with postage generation 
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program 300 to print addresses and a postage indicium on 
an envelope. Instructed by such an envelope program, 
computer 105 elicits from the user the size of the 
envelope to be used for a mailpiece, as indicated at step 
1603 in Fig. 16A. Computer 105 at step 1606 displays an 
xmage of the envelope having the specified size on its 
screen. Computer 105 at step 1609 prompts the user to 
type originating mailing address and destination mailing 
address at desired locations on the displayed envelope, 
computer 105 at step 1612 prompts the user to indicate 
the desired location on the displayed envelope where a 
postage indicium is to be printed. Accordingly, the user 
utxlxzes a mouse device to indicate the desired location 
whxch, in this instance, is the upper right comer of the 
envelope according to the postal authority regulations. 

Computer 105 thereafter provides at step 1615 a 
draft option which enables the user to preview the 
envelope including a specimen indicium appearing at the 
user defined location before the envelope is printed. 
Thus, this option allows the user to check the format of 
the envelope and the relative placement of the address 
blocks, and postage indicium on the envelope before the 
user is committed thereto. 

After the user decides to proceed with the 
printing of the envelope at step 1617, computer 105 at 
step 1618 generates a first ensemble of control 
characters indicating the position of the originating 
mailing address, a second ensemble of control characters 
indicating the position of the destination mailing 
address, and a third ensemble of control characters 
indicating the position of the postage indicium on the 
envelope. At step 1621, computer 105 inserts the first 
second and third ensembles of control characters into the 
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data stream representative of the texts of the 
originating and destination mailing addresses, where the 
originating mailing address data is preceded by the first 
ensemble of control characters, and the destination 
5 mailing address data is preceded by the second ensemble 
of control characters- The resulting data stream is 
formatted pursuant to the protocol required by printer 
115. For example, if printer 115 is a printer 
manufactured by Hewlett-Packard Co., the data stream 

10 would be in accordance with the Hewlett-Packard printer 
control language (HP -PCD . 

The envelope program proceeds from step 1621 to 
step 1623 in Fig. 16B where postage generation program 
300 described before is invoked. Upon such an 

15 invocation, unit 210 in PSD 110 is interrupted, and 
recjuests computer 105 to pass thereto a copy of the 
registration identifier in the envelope program for 
examination, as indicated at step 1624. If computer 105 
fails to produce a copy of the registration identifier, 

20 unit 210 causes computer 105 to display thereon an 

^'Unauthorized Component" message, and prevents generation 
of any postage indicium, as indicated at step 1625. 

Otherwise, if computer 105 produces a copy of 
the registration identifier of the envelope program, unit 

25 210 at step 1626 compares the registration identifier 

from computer 105 with each of registration identifiers 
245 in PSD 110, which are associated with the pre- 
approved components which have been verified at least 
once. At step 1627, unit 210 determines whether a 

30 corresponding registration identifier is found amongst 

registration identifiers 245. Assuming that this is not 
the first time that the envelope program invokes program 
300, and the registration identifier of the envelope 
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program has been verified at least once, xmit 210 in this 
instance finds the corresponding registration identifier 
amongst registration identifiers 245, and proceeds to 
step 1642 in Pig. 16C described below. 

Otherwise, if the registration identifier of 
the envelope program has never been verified, unit 210 
fails to find a corresponding registration identifier 
amongst registration identifiers 245. Unit 210 then 
causes modem 120 to establish at step 1628 a 
communication connection with data center 125. Unit 210 
transmits at step 1629 the serial number of PSD lio and 
copy of the registration identifier of the envelope 
program to data center 125 where processor 130 at step 
1630 compares the received registration identifier with 
each of registration identifiers 145 in data center 125, 
which as mentioned before consist of the registration 
identifiers of all pre-approved components ever. 
Processor 130 at step 1631 determines whether a 
corresponding registration identifier is found amongst 
registration identifiers 145. 

Since in this instance, the envelope program is 
pre-approved, processor 130 locates a corresponding 
registration identifier amongst registration identifiers 
145. Processor 130 recognizes that the envelope program 
identified by the corresponding registration identifier 
is being run on system 100, which is identified by the 
received serial number of PSD no. Accordingly, 
processor 130 at step 1633 updates the record of system 
100 in database 140 to also include in field 165 thereof 
an indication that the envelope program is now part of 
the configuration of system 100. Processor 130 then at 
step 1636 returns the copy of the registration identifier 
of the envelope program to unit 210, with an 
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acknowledgment that such a registration identifier is 
valid, and then terminates the communication connection. 
In response, unit 210 at step 1639 in Fig. 16C adds the 
returned registration identifier to registration 
5 identifiers 245 in PSD 110 for subsequent verification, 
obviating the need to have processor 13 0 involved in the 
subsequent verification of such a registration 
identifier. Unit 210 then goes on to help generate a 
postage indicium, as indicated at step 1642, 

10 Otherwise, if processor 130 at step 1631 fails 

to locate a corresponding registration identifier amongst 
registration identifiers 145, processor 130 at step 1645 
in Fig. 16B returns only a negative acknowledgement that 
the received registration identifier is invalid, and 

15 terminates the communication connection. In response to 
the negative acknowledgement, unit 210 returns to step 
1625 . 

After step 1642 in Fig. 16C and execution of 
program 300, a print image of an appropriate postage 

20 indicium is prepared. At step 164 8 a printer driver 

program associated with printer 115 is invoked to print 
the originating and destination addresses, and postage 
indicium on an envelope fed to printer 115. As the 
printer driver program interacts with program 3 00 to 

25 receive the print image of the postage indicium resulting 
from program 300, printer 115 including the printer 
driver program needs to be pre-approved. As such, upon 
the invocation of the printer driver program, unit 210 in 
PSD 110 is interrupted, and requests computer 105 to pass 

30 thereto a copy of the registration identifier in the 

printer driver program for examination, as indicated at 
step 1651. If computer 105 fails to produce a copy of 
such a registration identifier, unit 210 denies the 
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printer driver program of the print image of the postage 
indicium, as indicated at step 1654. 

Otherwise, if computer 105 produces a copy of 
the registration identifier, unit 210 at step 1657 
compares the registration identifier from computer 105 
with each of registration identifiers 245 in PSD 110 
which, as mentioned before, are associated with the pre- 
approved components which have been verified at least 
once. Assuming that this is not the first time that the 
printer driver program is invoked to print a postage 
indicium, and the registration identifier of the printer 
driver program has been verified at least once, unit 210 
in this instance locates at step 1660 the corresponding 
registration identifier amongst registration identifiers 
245. The printer driver program is provided with the 
print image of the postage indicium, as indicated at step 
1663. At step 1667, printer 115 prints on the provided 
envelope the originating and destination addresses and 
the postage indicium at the user defined positions, based 
on the aforementioned data stream from computer 105 and 
the print image of the postage indicium. 

Otherwise, if at step 1660 unit 210 fails to 
locate the corresponding registration identifier, 
processor 130 would be involved in verifying the' 
registration identifier with the steps similar to steps 
1628 through 1631, and 1633, 1636, 1639 and 1645 
described before, which are not repeated here. 

It is apparent from the disclosure heretofore 
that database 140 in data center 125 has records of 
configurations of all of the franking systems served by 
center 125. In particular, field 165 of each record 
pertaining to a respective franking system includes 
configuration information concerning, among others, the 
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hardware configuration of the computer (i.e., item (b) ) , 
the enabled or disabled options (i.e,, item (f)), the 
version of the postage generation program (i.e., item 
(d) ) , and other hardware and software components 
5 interacting with the postage generation program in the 

franking system. Such information in database 140 can be 
used by a postal authority to effectively monitor and 
control the configurations of individual franking systems 
in the field. 

10 The foregoing merely illustrates the principles 

of the invention. It will thus be appreciated that those 
skilled in the art will be able to devise numerous other 
arrangements which embody the principles of the invention 
and are thus within its spirit and scope. 

15 For example, to further deter unauthorized 

reconfiguration of system 100, the encryption algorithms 
for generating authorization codes may be changed from 
time to time. The new algorithms may easily be 
downloaded from data center 125 during a software upgrade 

20 in computer 105, or during a TMS transaction with data 
center 12 5, The memory locations in the memory maps of 
Figs, 10 and 14 may be changed from time to time, as 
well . 

In addition, in the illustrative embodiment, 
25 the memory of computer 105 is distinguished from memory 
200 in PSD 110. However, the memory spaces in the two 
memories may be interchangeable in that some or all of 
the memory contents in memory 2 00 may be stored in the 
memory of computer 105, and vice versa. Similarly, some 
30 or all of the tasks performed by processing unit 210 in 
PSD 110 in the illustrative embodiment may be performed 
by computer 105, and vice versa. 
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Finally, the illustrative embodiment of the 
invention is disclosed herein in a form in which various 
franking and communications functions are performed by 
discrete functional blocks. These functional blocks may 
be implemented in various ways and combinations using 
logic circuitry and/or appropriately programmed 
processors, as will be known to those skilled in the art 
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Claims 

1. A franking system comprising: 

a memory for storing a software component for 
5 generating at least one postage indicium; 

a device for receiving an authorization code which 
is derived from at least information concerning the 
software component; and 

a processing unit for verifying at least part of the 
10 authorization code to detect any change in the software 
component before the at least one postage indicium is 
generated, 

2 • The system of claim 1 wherein the information 
15 represents a version number of the software component. 

3 • The system of claim 2 further comprising a counter 
for keeping track of the version number of the software 
component . 

20 

4 . The system of claim 2 wherein memory locations are 
allocated in the memory for storing a plurality of 
version numbers of the software component, respectively, 
the version number of the software component being 

25 indicated as stored at one of the memory locations. 

5 . The system of claim 1 wherein the information is 
obtained from running a predetermined algorithm on code 
of the software component . 

30 

6. The system of claim 5 wherein the information 
includes error checking information. 



BNSDOCID: <WO e966422Al_l_> 



wo 99/66422 



PCT/US99/13488 



-40 

7. 



The system of claim 6 wherein the error checking 
information includes cyclic redundancy check (CRC) bits. 

8 . The system of claim 6 wherein the error checking 
5 information includes a checksum. 

9. The system of claim 1 further comprising a computer 
where the memory is in, wherein the authorization code is 
also derived from an identity of the computer 

0 

10. The system of claim 9 wherein the identity of the 
computer includes a serial number thereof. 

11. The system of claim 1 further comprising a postal 
security device (PSD) where the processing unit is in 
wherein the authorization code is also derived from an 
identity of the PSD. 

12. The system of claim 11 wherein the identity of the 
PSD includes a serial number thereof. 

13. A franking system comprising: 
a memory for storing a software component for 

generating at least one postage indicium; 

a buffer for storing an authorization code which is 
derived from at least information concerning a 
configuration of the system; and 

a processing unit for verifying at least part of the 
authorization code before the at least one postage 
indicium is generated to detect any change in the 
configuration of the franking system. 
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14 . The system of claim 13 further comprising software 
components for providing feature options in the system 
which are selectively enabled, wherein the configuration 
concerns at least a setting of the feature options. 

5 

15. The system of claim 13 wherein the configuration 
concerns at least a version of the software component . 

16. The system of claim 13 further comprising a device 
10 for maintaining a postage fund for postage dispensation 

in the system, wherein the processing unit is within the 
device. 

17. The system of claim 16 wherein the authorization 
15 code is also derived from an identity of the device. 

18. The system of claim 17 wherein the identity of the 
device includes a serial number thereof . 

20 19. The system of claim 13 further comprising a computer 
where the memory is in, wherein the authorization code is 
also derived from an identity of the computer. 

20. The system of claim 19 wherein the identity of the 
25 computer includes a serial number thereof. 

21. A franking system for generation of postage indicia, 
the system having a plurality of feature options which 
may be enabled, the system comprising: 

3 0 a device for receiving an authorization code which 

is generated outside the system in response to a request 
for a selected setting of the feature options different 
from a current setting thereof, the authorization code 
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comprising a code segment and a data segment, the code 
segment being derived from at least information 
concerning the selected setting of the feature options, 
the data segment containing data concerning one or more 
of the feature options; 

a buffer for effecting the selected setting of the 
feature options based on the data; and 

a processing unit for verifying the code segment to 
determine whether generation of postage indicia based on 
the selected setting of the feature options is allowed. 

22. The system of claim 21 wherein the data includes the 
information concerning the setting of the feature 
options . 

23. The system of claim 21 wherein the data is 
encrypted- 

24. The system of claim 21 wherein the selected setting 
Of the feature options involves changing one or more of 
the feature options, with respect to the current setting 
Of the feature options, the length of the data segment 
bexng a function of a quantity of the one or more of the 
feature options. 

25. The system of claim 24 wherein the data indicates 
memory addresses which are associated with the one or 
more of the feature options, respectively, a value being 
stored at each memory address and the feature option 
associated with the memory address is changed to the 
value . 
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26. The system of claim 25 wherein the data includes 
offset memory addresses which are associated with the one 
or more of the feature options, respectively. 

5 27. The system of claim 24 wherein the data identifies 
the one or more of the feature options. 

28. A franking system comprising: 

a first memoiry for storing a first software 
10 component for realizing at least one postage indicium, a 
second software component being stored in the first 
memory for interacting with the first software component, 
the second software component including a selected 
identifier; 

15 a second memory for storing a plurality of 

identifiers; and 

a processing unit for determining whether one of the 
plurality of identifiers corresponds to the selected 
identifier in the second software component when the 

20 second software component interacts with the first 

software component, the at least one postage indicium 
being realized only when one of the plurality of 
identifiers corresponds to the selected identifier. 

25 29. The system of claim 28 further comprising a device 
for maintaining a postage fund for postage dispensation 
in the system, wherein the second memory is within the 
device. 

30 30. The system of claim 28 wherein the selected 

identifier identifies the second software component. 
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31 



The system of claim 28 further comprising at least 
one hardware component, wherein the second software 
component includes utility software for interfacing the 
first software component with the at least one hardware 

component . 



32 . A system for reconfiguring a franking apparatus for 
generating postage indicia, the franking apparatus 
including a device for maintaining a postage fund for 
postage dispensation in the franking apparatus, the 
system comprising: 

a memory for storing a value of an account for 
replenishing the postage fund in the franking apparatus; 

^ «-k ^ 



and 



a processor for reconfiguring the franking 
apparatus, a reconfiguration of the franking apparatus 
incurring a cost, the value of the account being adjusted 
to account for the cost, the value of the postage fund in 
the franking apparatus being unaffected by the 
reconfiguration . 

33. The system of claim 32 wherein the franking 
apparatus is remotely reconfigured through a 
communication connection. 

34. The system of claim 32 wherein the reconfiguration 
Of the franking apparatus concerns at least a setting of 
feature options in the franking apparatus. 

35. The system of claim 32 wherein the reconfiguration 
Of the franking apparatus concerns at least a version of 
a software component in the franking apparatus. 
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36. The system of claim 32 wherein the memory also 
stores information concerning a current configuration of 
the franking apparatus. 

5 37, The system of claim 36 wherein the processor causes 
transmission of a menu to the franking apparatus for the 
reconfiguration thereof, the menu being generated based 
on the information. 

10 38. A method for use in a franking system comprising: 

storing a software component for generating at least 
one postage indicium; 

receiving an authorization code which is derived 
from at least information concerning the software 
15 component ; and 

verifying at least part of the authorization code to 
detect any change in the software component before the at 
least one postage indicium is generated. 

20 39. The method of claim 38 wherein the information 

represents a version number of the software component. 

40. The method of claim 39 further comprising keeping 
track of the version number of the software component 

25 using a counter in the system. 

41. The method of claim 39 further comprising allocating 
memory locations to store a plurality of version numbers 
of the software component, respectively, the version 

30 number of the software component being indicated as 
stored at one of the memory locations. 
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42. The method Of claim 38 Wherein the information is 
obtained from running a predetermined algorithm on code 
of the software component. 

43. The method of claim 42 wherein the information 
includes error checking information. 

44 . The method of claim 43 wherein the error checking 
information includes CRC bits. 

45. The method of claim 43 wherein the error checking 
information includes a checksum. 

46. The method of claim 38 wherein the authorization 
code is also derived from an identity of a computer in 
the system. 

47. The method of claim 46 wherein the identity of the 
computer includes a serial number thereof. 

48. The method of claim 38 wherein the authorization 
code is also derived from an identity of a PSD in the 
system. 

49. The method of claim 38 wherein the identity of the 
PSD includes a serial number thereof. 



50. A method for use in a franking system comprising: 

storing a software component for generating at least 
30 one postage indicium; 

storing an authorization code which is derived from 
at least information concerning a configuration of the 
system; and 
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verifying at least part of the authorization code 
before the at least one postage indicium is generated to 
detect any change in the configuration of the franking 
system. 

5 

51. The method of claim 50 further comprising providing 
feature options in the system which are selectively 
enabled, wherein the configuration concerns at least a 
setting of the feature options - 

10 

52. The method of claim 50 wherein the configuration 
concerns at least a version of the software component . 

53. The method of claim 50 wherein the authorization 
15 code is also derived from an identity of a device for 

maintaining a postage fund for postage dispensation in 
the system. 

54. The method of claim 53 wherein the identity of the 
20 device includes a serial number thereof. 

55. The method of claim 50 wherein the authorization 
code is also derived from an identity of a computer. 

25 56. The method of claim 55 wherein the identity of the 
computer includes a serial number thereof . 

57. A method for use in a franking system for generation 
of postage indicia, the system having a plurality of 
30 feature options which may be enabled, the method 
comprising: 

receiving an authorization code which is generated 
outside the system in response to a request for a 
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) 



selected setting of the feature options different from a 
current setting thereof, the authorization code 
comprising a code segment and a data segment, the code 
segment being derived from at least information 
concerning the selected setting of the feature options, 
the data segment containing data concerning one or more 
of the feature options; 

effecting the selected setting of the feature 
options based on the data; and 

verifying the code segment to determine whether 
generation of postage indicia based on the selected 
setting of the feature options is allowed. 

58. The method of claim 57 wherein the data includes the 
information concerning the setting of the feature 
options . 

59. The method of claim 57 wherein the data is 
encrypted . 

60. The method of claim 57 wherein the selected setting 
of the feature options involves changing one or more of 
the feature options, with respect to the current setting 
of the feature options, the length of the data segment 
being a function of a quantity of the one or more of the 
feature options. 

61. The method of claim 60 wherein the data indicates 
memory addresses which are associated with the one or 
more of the feature options, respectively, a value being 
stored at each memory address and the feature option 
associated with the memory address is changed to the 
value . 
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62, The method of claim 61 wherein the data includes 
offset memory addresses which are associated with the one 
or more of the feature options, respectively. 

5 63 . The method of claim 57 wherein the data identifies 
the one or more of the feature options . 

64. A method for use in a franking system comprising: 
storing a first software component for realizing at 

10 least one postage indicium; 

storing a second software component for interacting 
with the first software component, the second software 
component including a selected identifier; 
storing a plurality of identifiers; 

15 determining whether one of the plurality of 

identifiers corresponds to the selected identifier in the 
second software component when the second software 
component interacts with the first software component; 
and 

2 0 realizing the at least one postage indicium when one 

of the plurality of identifiers corresponds to the 
selected identifier . 

65. The method of claim 64 wherein the selected key 
25 identifies the second software component. 

66. The method of claim 64 wherein the second software 
component includes utility software for interfacing the 
first software component with at least one hardware 

30 component in the system. 
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67. 



A method for reconfiguring a franking apparatus for 
generating postage indicia, the franking apparatus 
xncluding a device for maintaining a postage fund for 
postage dispensation in the franking apparatus, the 
5 method comprising: 

storing a value of an account for replenishing the 
postage fund in the franking apparatus; 

reconfiguring the franking apparatus, a 
reconfiguration of the franking apparatus incurring a 
10 cost; and 

adjusting the value of the account to account for 
the cost, the value of the postage fund in the franking 
apparatus being unaffected by the reconfiguration 



68. The method of claim 67 wherein the franking 
apparatus is remotely reconfigured through a 
communication connection. 



20 



25 



30 



69. The method of claim 67 wherein the reconfiguration 
of the franking apparatus concerns at least a setting of 
feature options in the franking apparatus. 

70. The method of claim 67 wherein the reconfiguration 
of the franking apparatus concerns at least a version of 
a software component in the franking apparatus. 

71- The method of claim 67 further comprising storing 
information concerning a current configuration of the 
franking apparatus. 

72. The method of claim 71 further comprising 
transmitting a menu to the franking apparatus for the 
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reconf iguration thereof/ the menu being generated based 
on the information. 
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(57) Abstract 

In a franking system a postal security device (PSD) tracks a postage fund for dispensing postal indicia and enforce the configuration of 
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(57) Abstract 
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27) wherein funds, applicaticm of those funds, the replenish- 
ment of those funds and the auditing of those funds are secure 
against attempts at fraud. The system (22, 24. 25, 26, 27) may 
either be a Closed System (CS) wherein the proof-of-postage 
printing means (22) are housed within the system computa- 
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boundary. Further, the system (22, 24, 25, 26, 27) may be 
an Open System (OS) wherein the proof-of-postage printing 
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PCTAJS97/17065 

Proof of postage digital franking 
Technical field 

The invention relates generally to postage meters, also called franking machines, and relates 
more particularly to electronic postage meters printing digital postal indicia. 

Background art 

5 Postage meters arc well known. The present assignee has been designing and manufacturing 
postage meters for many, many decades. After these decades of experience, postage meters 
are extremely reliable and cost has been reduced to a minimum. A typical postage meter prints 
its postage by means of an intaglio-type metal or strong plastic printing plate or die plate, 
using specified fluorescent ink^ 

Most postage meter customers never have reason to call for repair of thdr postage meters. 
Postage meters are simple to operate and there is little to go wrong. They have been accepted 
by neariy all the post offices of the world. Postage meters benefit post offices by reducing the 
need for retail sales of postage stamps, and by making it easy for postal patrons to adjust to 
changes in postage rates. Present-day postage meters are able to accommodate mail pieces of 
varying thickness, and are able to print their indicia even if the surface of the mail piece is 
uneven. 

Nothwithstanding the reliability, low cost, and ease of use of present-day postage meter 
designs, it has been suggested by some postal authorities that all postage meters presently in 
use be removed from service and that postage be printed instead by common computer 
20 printers using ordinary ink. This means that anyone with an ordinary computer printer can 
readily generate a plausible-looking postal indicium at any time and in any desired quantity. 
The only possible approach for reducing fraud, when ordinary computer printers are used, is 
to incorporate cryptographically secure information into the postal indicium, and to read and 
verify that information on each and every mail piece. The present invention is directed to 
25 system configurations in which such cryptographically secure information is generated for use 

1 
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in priming such indicia. To be commerciany viable, such system configurations must not only 
satisfy the requiranems of the postal authorities, but must also provide user function more or 
less approximating that of presoit-day postage meters. 

Disclosure of invention 

5 A proof-of-postage generating system wherein funds, appUcation of those funds, the 

replenishraem of those funds and the auditing of those funds are secure against attempts at 
fiaud. The system may either be a Closed System (CS) wherein the proof-of postage priming 
means are housed within the system computational means or within a ciyptographically secure 
boundary. Further, the system my be an Open System (OS) wherein the pix>of-of postiige 
1 0 printing means are external to the system computational means. 

Brief description of the drav^ng 
The invention will be described with respect to a drawing in several figures, of which: 

Fig. 1 is a fimctional block diagram of a first embodiment of a closed-system type of postage 
meto; 

15 Fig. 2 is a ainctional block diagram of a second embodiment of a closed-system type of 
postage meter; 

Fig. 3 is a fimctional block diagram of a third embodimem of a closed-system type of postiige 
meter; 

Fig. 4 is a fimctional block diagram of a first embodiment of an open-system type of postage 
20 m^er; 

Fig. 5 is a fimctional block diagram of a second onbodiment of an open-system type of 
postage meter. 
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Fig. 6A is a functional block diagram of a third embodiment of an opoi-system type of postage _ 
meter, with an internally mounted postal security device (PSD); 

Fig. 6B is a functional block diagram of a third embodiment of an open-system type of postage 
meter, with an externally mounted PSD; 

5 Fig. 7 A is a functional block diagram of a fourth embodiment of an open-system type of 
postage meter, with an internally mounted postal security device (PSD); 

Fig. 7B is a functional block di^^ram of a fourth embodiment of an open-system type of 
postage meter, with an externally mounted PSD; 

Fig. 8 is a functional block diagram of a fifth embodiment of an open-system type of postage 
10 meter; 

Fig. 9 A is a functional block diagram of a first embodiment of a hybrid of a closed-system and 
open-system type of postage meter; and 

Fig. 9B is a functional block diagram of a second embodiment of a hybrid of a closed-system 
and open-system type of postage meter. 

15 Modes for carrying out the invention 

A proof-of-postage generating system is described wherein funds, application of those funds, 
the replenishment of those funds and the auditing of those funds are secure against attempts at 
fi-aud. The system may either be a Closed System (CS) wherein the proof-of postage printing 
means are housed within the system computational means or within a cryptographically secure 
20 boundary. Alternatively, the system may be an Open System (OS) wherein the proof-of 
postage printing means are external to the system computational means. 

As will be described in more detail below, what is provided is a Postal Security Device (PSD) 

3 
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Within which is housed physically secure, as weU cryptographically secure fimds and associated _ 
accounting registers, said PSD itself being utilized within a dynamic system whidi provides for 
the interchange of data between a funds provider source, a computational funds tracking and 
maintenance source and a printing source. Each embodiment described below, whether an 
Open System (OS) or Closed System (CS). provides aU necessary security against fraudulem 
attacks against the system. This invention is intended to provide a customer with a nun*er of 
alternative approaches to optimize the customer's use, tracking, and replenishmg of the 
customer's fianking fimds within the environment surrounding the dispensi^ 
for proof-of-paymem for the services required. In all cases, the proof-of-postage (postal 
indicium) is digitally generated data. Said digital data is represented as an image (generally, a 
printed image) on the mailpiece requiring said proof-of-postage. Said proof-of postage may be 
represented as a graphical image, human readable information, various bar codes (both 1- 
dimensional or 2-dimensionaI codes). OCR characters, etc., or any combination thereof 

The Postal Security Device (PSD) will support methods of applying postage in Ueu of the 
15 present-day approach, which is typically a sdf-comained electromechanical or mechanical 

postage meter which imprints indicia on maUpieces. Described below are a number of system 
integration designs wherein said PSD is a small element of both laige and small systems 
capable of supporting the needs of both hu^ge and small businesses, as well as the private 



10 



citizen. 



20 



The first embodiments set forth herein relate to Closed Systems (CS) which may take the fonn 
of three diflFerent embodiments, dependent upon the needs of the customer. This CS approach 
provides a printing means within the franking device or within a cryptographically secure 
boundary as executed by a vendor. Said franking device is dedicated to the imprinting of 
proof-of-postage (said proof-of-postage will take the forai and aesthetics required by the 
25 regulating body) and other related information (at times referred to as audit information and 
reports). In all cases and embodiments, the cryptographic content of the printed indicia image 
contains information unique to that transaction and specific PSD. 

In the first embodiment of this closed system arrangement, the Postal Security Device (PSD) 



4 



wo 98/13790 



PCTAJS97/17065 



22 is attached as a ""dongle" (an adaptive interfacing device which connects to and uses a 
communications port while still allowing the port to be used by other devices) to the self 
contained franking device 24 (see Figure 1). The cryptographic data content between the PSD 
22 and franking device 24 is verified for authenticity (e.g. signature certificate) Miiereupon the 
5 printing mechanism 25 within the firanking device 24 delivers the appropriate image to the 
mailpiece, letter or invoice. Crediting new fijnds to the PSD is managed by an interface 
(modem) 21 adapted to the franking device 24 which communicates cryptographically with a 
host Data Center 20 which provide funds for the PSD through the franking device 24. The 
communications between the franking device 24 and Data Center 20 or between the fi-anking 

10 device 24 and PSD 22 are ciyptogrq^hically encoded with all transactions being verified by the 
crypto-code structure and certificate authorization schema as required by the regulating body. 
Said PSD 22 may be moved fi'om one franking device 24 to another so long as each franking 
device 24 is authorized/keyed to function with said PSD 22. In all cases the PSD 22 has the 
ability to account for funds and history as related to the fi^anking device 24 to ^^ch it has 

IS been attached. 

Those skilled in the art will appreciate that the communications chaimel 3 1 between the 
franking device 24 and the data center 20 need not be secure. The chaimel 3 1 may be a dialed 
voice telephone call over the public switched telephone network, with mod^ns at each end of 
the line. Alternatively, the channel 3 1 may be an ISDN telephone call, or may be a TCP/IP 
20 session placed over any suitable physical medium and underlying protocol, such as fi'ame relay. 
The communications between the franking device 24 and data center 20 may desirably be 
carried out as set forth in U.S. Pat. No. 5,237,506, assigned to the same assignee as the 
assignee of the present invention. 

Those skilled in the art will also appreciate that the postal security device 22 contains an 
25 accounting register indicative of postage value, and contains cryptographic means, said 
cryptographic means disposed for secure communications with a remote host 20 for 
adjustment of the contents of said accounting register, said cryptographic means further 
disposed for generation of data to be included in said postal indicia, said postal security device 
22 disposed to account within said accounting register for postage value provided in said 
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postal indida and to fail to generate such data when said accounting regist^ satisfies a 
predetennined condition. In a typical arrangement, the accounting register of the PSD 22 is a 
descending register, and postal indicia are printed only if the vake stored in the descending 
register is greater than the amount of postage value desired to be printed. In this way the 
postage printing system employing the PSD 22 mimics the well-known behavior of a present- 
day postage meter in which the meter refuses to print more postage if it is empty or almost 
empty. 

In the second embodiment of this closed system employment, as shown m Fig. 2, the Postal 

Security Device (PSD) 22 is imenial to the franking de^ce 24 and is disposed to 
secunty requirements of the fir« embodiment. Crediting new funds to the PSD is managed by 
an mtetfece (modem) 21 adapted to the franking device 24 which communicates 
oyptographically with a host Dau Center 20 which provide fimds for the PSD 22 through the 

fhinking device 24. The communications between the franking device 24 and D^^ 
or between the frankmg device 24 and PSD 22 are cryptogr^hically encoded with dl 
transactions being verified by the oypto-code structure and certificate authorization schema as 
required by the regulating body. The communications between the flanking device 24 and data 
center 20 may desirably be carried out as set forth in U.S. Pat. No. 5.237,506. assigned to the 
same assignee as the assignee of the present invention. Said PSD 22 is not accessible for 
removal from the frankmg device 24. Attempts to do so or to modify PSD contents wiU be 
met with its fail safe abihty to secure itself and its internal registers as required by the 
regulatory authority. 

In the third embodiment of this closed system employment, the Postal Security Device (PSD) 
22 IS interfaced to a personal computer 26 as is shown in Figure 3. 

The PSD 22 is credited with fimds via communications (typically modem) between the 
personal computer (PC) 26 and associated Data Center 20. The communications between the 
PC 26 and Data Center 20 foUow the cryptographic security niles and signature verifications 
required by the regulatory body. The communications between the PC 26 and data center 20 
may desirably be carried out as set forth b U.S. Pat. No. 5.237.506. assigned to the same 
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assignee as the assignee of the present invention. Further^ the secure communications between 

the PSD 22 and the remote franking device 24 are likewise assured. 

The PC 26 is programmed so that it can receive a request from a user for the printing of 
postage, and forward information about the request to the PSD 22. The PSD 22 provides 
5 cryptographically secured data which will be contained in the postal indicium, and this data is 
provided eventually to a printer for printing. 

It should be appreciated that the particular cryptographic standards employed in generating the 
data for the indicium are specified by the postal authorities, and thus that the particular 
cryptographic standard employed is not critical to the invention. Likewise, the form of 
10 indicium (e.g. 1-D or 2-D bar code and other aspects of layout) are also specified by the postal 
authorities and thus are not critical to the invention. 

The PSD device 22, evident in the first and third embodiments (Figs. 1 and 3), present the 
opportunity for physically relocating said PSD 22 from a system configuration evidmced in 
Figure 1 to a different system configuration evidenced in Figure 3, or vice versa. Said PSD 22 
1 S has the capability of optionally containing pertinent information regarding the system 

adaptation to which it is incorporated, including such parametric data as host serial numbers, 
register readings, and the like. The PSD 22 noted in Figure 3 could be located in or on the 
Franking Device 24, to wit, the PC 26 would communicate to the Franking Machine's PSD 
via any PC compatible communications link (e.g. RS232, parallel, etc.). 

20 The Open System (OS) arrangement, which may take the form of five different embodiments, 
will now be described. The selection of the particular embodiment is determined by the needs 
of the customer. This employment provides a printing means 23 outside a franking device. 
Said printing means 23 is any commercially available printing means capable of reproducing 
the franked image content, makeup and resolution in accordance with regulatory requirements 

25 addressing said franked image content, makeup and resolution. In all cases and embodiments, 
the cryptograpfiic content of the printed indicia image contains information unique to that 
transaction and specific PSD. In the first embodiment of this open system arrangement, as 
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Shown in Fig. 4. the PSD 22 is interfaced to a Personal Computer (PC) 26 communication 
port. Also interfaced to the same PC 26 is a printer 23 capable of reproducing the franked 
image content, makeup and resolution in accordance with regulatory requirements. 

Crediting new funds to the PSD 22 is managed by an interfece (modem) 21 adapted to the PC 
26 which communicates cryptogiaphically with a host Data Center 20 which provide funds 
for the PSD 22 through the PC 26. The communications between the Data Center 20 and PSD 
22 are cryptographicaUy encoded with all transactions bring verified by the ciyptos»de 

stnicture and certificate authorization schema as r«,uired by the regulating bo^^ The 
communications between the PSD 22 and data center 20 may desirably be carried out as set 
forth in US. Pat. No. 5^37.506, assigned to the same assignee as the assignee of the present 
mvemion. Said PSD may be moved from one PC 26 to another. Further, said PSD 22 may be 
relocated to a Closed System (CS) embodiment such as that set forth in Figs. 1 and 3. 

In the second embodiment of an Open System arrangement, the PSD 22 is imemally interfaced 
to a Personal Computer (PC) 26 as is shown in Figure 5. Also interfaced to the same PC 26 is 
a printer 23 capable of reproducing the franked image content, makeup and resolution in 
accordance with regulatory requiremoits. 

This embodimem of the Postal Security Device (PSD) 22 is subjected to the same security 
requirements as are applicable in the first embodiment. Crediting new fi,nds to the PSD 22 is 
managed by interface (modem) 21 adapted to the PC 26 which communicates 
ciyptographically with a host Data Center 20 which provide fimds for the PSD 22 through the 
PC 26. The communications between the Data Center 20 and PSD 22 are cryptographicafly 
encoded with all transactions being verified by the crypto-code structure and certificate 
authorization schema as required by the regulating body. The communications between the 
PSD 22 and data center 20 may desirably be carried out as set forth in U.S. Pat. No. 
5.237.506, assigned to the same assignee as the assignee of the present invention. 

In the third embodiment of an Open System arrangement, the PSD 22 is internally mourned 
(Figure 6A) or externally interfaced (Figure 6B) to a networked host 27. Networked to the 
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host 27 are one or more Personal Computers (PC) 26. The printing device 23 is mterfaced to 
the host 27, as might be the case in a centralized mailing application. The printer 23 is enable 
of reproducing the franked image content, makeup and resolution in accordance with 
regulatory requirraients. 

5 This embodiment of the Postal Security Device (PSD) 22 is subjected to the same security 

requirements as in the other embodiments. Crediting new funds to the PSD 22 is managed by 
interface (modem) 21 adapted to the Networked host which communicates cryptographically 
with a host Data Center 20 which provide fimds for the PSD 22 through the Networked host 
27. The communications between the Data Cento- 20 and PSD 22 are ctyptographically 
10 encoded with all transactions being verified by the crypto-code structure and c^ficate 

authorization schema as required by the regulating body. The communications between the 
PSD 22 and data center 20 may desirably be carried out as set forth in U.S. Pat. No. 
5,237,506, assigned to the same assignee as the assignee of the present invention. 

The Networked host 27 provides its interfaced printer 23 with the indicia representing 
1 5 addressing and postage value information requested by the local PCs 26 in accordance with 
indicia context requirements of the regulatory body. The PSD 22 depicted in Fig. 6B may be 
moved to any other Open or Closed system application interfacing the PSD 22 in a like 
manner. 

In the fourth embodiment of an Open System arrangement, the printing devices 23 are 
20 interfaced to local Personal Computers 26, rather than to a Networked host 27. Figs. 7A and 
7B present the described configuration. Fig. 7A defines the Networiced host 27 with its PSD 
22 internally mounted while Figure 7B shows the PSD 22 externally interfaced to the 
Networked host 27. However, the PSD 22 depicted in Fig. 7B may be moved to any other 
Open or Closed system application interfacing the PSD 22 in a like manner. 

25 In a fifth embodiment of an Open System arrangment, the printing devices 23 are interfaced to 
either local Personal Computers 26 or a master/host workstation 27 as shown in Fig. 8. A 
single PSD 22 can support one or more indicium application sources from a master 
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workstation 27. This embodiment is typical of a decentralized office environment where 
indicium appUcations occur at different woikstetions 26. However, only one workstation 27 in 
the local network loop 33 need have the PSD 22. All work stations 26 have the ability to 
produce secure indicia. 

5 This embodhnent of the Postal Security Device (PSD) 22 is subjected to the same security 

requirements as in the previously described embodiments. Crediting new funds to the PSD 22 
is managed by interface (modem) 21 adapted to the woricstation 27 to which the PSD 22 is 
attached which communicates cryptographically with a remote host Data Center 20 which, in 
turn, provides funds for the PSD through the woricstation 27 to which the PSD 22 is attached 

10 The woricstation 27 to which the PSD 22 is attached provides its interfaced printer 23 and/or 
one or more of its interfaced woricstations 26 with the indicia representing addressing and 
postage value information requested by the associated woricstation 23 in accordance whh 
indicia context requirements of the regulatory body. The PSD 22 depicted in Fig. 8 may be 
moved to any other Open or Closed system application inteifedng the PSD 22 in a like 

IS manner. 

Finally, hybrid systems may be employed in which a Closed System (CS) franking device is 
interfaced to an Open System (OS) Personal Computer-based system which may take the fonn 
of two different embodiments, dependent upon the needs of the customer, as disclosed in 
Figs 9A and 9B. Such a system provides the abiUty for a CS, typified in Fig. 2 whose PSD 
may be internal to the franking device as disclosed in Fig. 2, or external to the franking device, 
as disclosed in Fig. 1 The Fig. 9A embodiment depicts said franking device mterfaced to an 
external Personal Computer (PC) 26 which requests and receives proof of postage data from 
the CS franking device 24 for appUcation to a mailpiece being processed through its (the PCs) 
own dedicated prints* 23. 

25 Alternately as shown in Fig. 9B. said PC 24 may be networiced to one or more Personal 
Computers 26 with each of those PCs 26 accessing one or more printers 23. Said printing 
means relates to any commercially available priming means capable of reproducing the franked 
image content, makeup and resohition in accordance with regulatory requirements addressfaig 
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said franked image content, makeup and resolution. In each embodiments, the cryptographic 
content of the printed indicia image contains information unique to that transaction and 
specific PSD. 

In summary, the following have been disclosed: 

5 'The PSD 22 via the "dongle" or other adaptive interfacing device wtiich connects to and uses 
a communications port while still allowing the port to be used by other devices interface may 
be connected to a device not previously predisposed to accepting installation of said PSD 22. 

•The PSD 22 can be credited with new or additional funds via a modem 21 within or external 
to the PSDs host. 

10 ^The PSD 22 can be credited with new or additional funds via a communications port (e.g. 

RS232) on the PSDs host. The host, in turn, utilizes its internal or external modem to contact 
a remote central Data Cent^ for downloading of funds to be credited to the PSD 22. 

•The PSD 22 may be removed from its host and connected to the parallel or serial port of a 
PC 26 with modem communications ability wherein said PC would communicate with a 
15 remote central Data Crater to download funds into the PSD. The PSD would then be returned 
to its operational host. 

•The PSD may be connected directly to a PC wherein: 

- A postage metering device obtains a postmark (indicium) data from said PC, 
operating in a Closed System (CS) environment. 

20 - A PC software can obtain a postmark (indicium) data from the same PSD in either 

an OS or CS. 

- A PC can be networked and share a single PSD with associated PCs/workstations in 

11 



BNSDCXtD: <WO 9813790A1J_> 



wo 98/137SN) 



PCT/US97/17065 



an OS. 



•While a PSD is connected to a postage metering device it is able to: 

- Output postmarks (indicium) data to a PC connected to the postage metering 
device's communication port (e.g. RS232) when operating in an Open System (OS) 
franking environment. 

- The postage metering device configured as a Personal Computer (PC) is capable of 
being networked to one or more PCs to support mukiple OS franking workstations. 

While the invention has been described with respect to particular embodiments and figures, it 
should be understood that the invention is not Umited to those particular embodiments and 
figures. Indeed, those skiUed in the art will readily identify numerous obvious variations of the 
invention, all of which are within the invention, as defined by the claims that foUow. 
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Claims 

1 . A system for printing postal indicia, the system comprising: 

a postage meter containing, within a secure housing, a printing mechanism and a postal 
security device, said postal security device containing an accounting register indicative of 
S postage value, and containing cryptographic means, said cryptographic means disposed for 
secure communications with a remote host for adjustmmt of the contents of said accounting 
registo", said cryptographic means further disposed for generation of data to be included in 
said postal indicia, said postal security device disposed to account within said accounting 
regist^ for postage value provided in said postal indicia and to fail to generate such data when 
10 said accounting register satisfies a predetermined condition; 

said postage meter communicatively coupled with a plurality of personal computers, each 
personal conqnjter connected with a corresponding printer; 

each of said personal computers programmed to receive requests from respective users for the 
printing of postal indicia, and to receive generated data from the postal security device 
1 5 responsive to the requests, and to print postal indicia within which the generated data is 
provided. 

2. The system of claim 1 wherein the postage meter and personal computers are 
conmiunicatively coupled via a local-area network. 

3. The system of claim 2 wherein the postage meter and personal computers are 
20 communicatively coupled via ethemet. 

4. A system for printing postal indicia, the system comprising: 

a postage meter containing, within a secure housing, a printing mechanism and a first 
cryptographic means; 
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said posuge meter commuiucatively coupled >vith a postal security device, said postal security 
device containing an accounting register indicative of postage value, and containing second 
cryptographic means, said second cnrtogmphic means disposed for secure comn^unications 
with a remote host for adjustment of the comems of said accounting register, said second 
cryptographic means further diiqwsed for generation of data to be communicated in 
cnT,tographically secure communication with the finrt cryptographic means for inclusion in 
saKl postal indicia, said postal security device disposed to accoum within said accounting 
register for postage value provided in said postal indicia and to fail to generate such data when 
said accounting r^er satisfies a predetermined condition; 

said postage meter communicatively coupled with a plurality of personal computers, each 
personal computer connected with a corresponding primer; 



each of said personal computers programmed to receive requests from respective users for the 
printing of postal indicia, and to receive generated data from the postal security device 
responsive to the requests, and to print postal indicia within which the generated data is 
1 5 provided. 

5. The system of claim 4 wherein the postage meter and personal computers are 
communicatively coupled via a local-area network. 

6 The system of claim 5 wherein the postage meter and personal computers are 
communicatively coupled via ethemet. 



7. A system for priming postal indicia, the system comprising: 

a postage meter containing, within a secure housing, a printing mechanism and a postal 
security device, said postal security device containing an accounting register indicative of 
postage value, and containmg cryptographic means, said cryptographic means disposed for 
secure communications with a remote host for adjustmem of the contents of said accounting 
register, said cryptographic means further disposed for generation of daU to be included in 
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said postal indicia, said postal security device disposed to account within said accounting 
raster for postage value provided in said postal indicia and to fail to generate such data when 
said accounting register satisfies a predetermined condition; 

said postage meter communicatively coupled with a personal computer, said personal 
5 computer connected with a corresponding printer, 

said personal computer programmed to receive requests from a respective user for the printing 
of postal indicia, and to receive generated data from the postal security device responsive to 
the requests, and to print postal indicia within which the generated data is provided. 

8. The system of claim 7 wherein the postage meter and personal computer are 
1 0 communicatively coupled via a local-area network. 

9. The system of claim 8 wherein the postage meter and personal computers are 
communicatively coupled via ethemet. 

1 0. A system for printing postal indicia, the system comprising: 

a postage meter containing, within a secure housing, a printing mechanism and a first 
1 5 cryptographic means; 

said postage meter communicatively coupled with a postal security device, said postal security 
device containing an accounting register indicative of postage value, and containing second 
cryptographic means, said second cryptographic means disposed for secure communications 
with a remote host for adjustment of the contents of said accounting register, said second 
20 cryptographic means further disposed for generation of data to be communicated in 

cryptographically secure communication with the first cryptographic means for inclusion in 
said postal indicia, said postal security device disposed to account within said accounting 
register for postage value provided in said postal indicia and to fail to generate such data when 
said accounting register satisfies a predetermined condition; 
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said postage meter communicatively coupled with a personal computer, said personal 
compute- connected with a corresponding prints. 

said personal computer programmed to receive requests from a respective user for the priming 
of postal indicia, and to receive generated data from the postal security device responsive to 
the requests, and to print postal indicia within which the generated data is provided. 

11 . The system of claim 1 0 wherein the postage meter and personal computer are 
communicatively coupled via a local-area network. 

12. The system of claim 1 1 wherein the postage meter and personal computer are 
communicativdy coupled via ethemet. 

13. A syston for printing postal indicia, the system comprising: 

a first personal computer, said first personal computer connected with a respective printer, 

said first personal computer communicatively coupled with a postal security device, said postal 
security device containing an accounting register indicative of postage vahie, and containing a 
cryptographic means, said cryptographic means disposed for secure communications with a 
remote host for adjustment of the contents of said accounting register, said ciyptographic 
means fiirther disposed for generation of data to be included in said postal indicia, said postal 
security device disposed to account within said accounting register for postage value provided 
in said postal indicia and to fail to generate such data when said accounting register satisfies a 
predetermined condition; 

said first personal computer communicatively coupled with a phirality of second personal 
computers, said second personal computers each connected with a corresponding printer; 

each of said second personal computers programmed to receive requests from a respective 
user for the printing of postal indicia, and to receive generated data from the postal security 
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device responsive to the requests, and to print postal indicia within which the generated data is 
provided. 

14. The system of claim 1 3 wherein the first personal computer and second personal 
conq>uters are communicatively coupled via a local-area network. 

5 1 5. The system of claim 14 wherein the first personal computer and second personal 
computers are communicatively coupled via ethemet. 

16. A system for printing postal indicia, the system comprising: 
a first personal computer; 

said first personal computer communicatively coupled with a postal security device, said postal 
10 security device containing an accounting register indicative of postage value, and containing a 
cryptogr^hic means, said cryptographic means disposed for secure communications with a 
remote host for adjustment of the contents of said accounting register, said oyptographic 
means fiirther disposed for generation of data to be included in said postal indicia, said postal 
security device disposed to account within said accounting register for postage value provided 
1 S in said postal indicia and to fail to generate such data when said accounting register satisfies a 
predetermined condition; 

said first personal conq^uter communicatively coupled with a plurality of second personal 
computers, said second personal computers each connected with a corresponding printer, 

each of said second personal computers programmed to receive requests fi'om a respective 
20 user for the printing of postal indicia, and to receive generated data fi'om the postal security 

device responsive to the requests, and to print postal indicia within v^ch the generated data is 
provided. 

17. The system of claim 16 wherein the first personal computer and second personal 
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computers are conununicatively coupled via a local-area n^work. 

1 8. The system of claim 1 7 wherein the first personal computer and second personal 
computers are communicatively coupled via Fernet. 

19. A system for printing postal indicia, the system comprising: 

a first personal computer, said first personal computer connected with a first printer; 

said first personal computer communicatively coupled with a postal security device, said postal 
security device containing an accounting register indicative of postage value, and containing a 
cryptographic means, said cryptographic means disposed for secure communications with a 
remote host for adjustment of the contents of said accounting register, said cryptographic 
means fiirther disposed for generation of data to be inchided in said postal indicia, said postal 
security device disposed to account within said accounting register for postage value provided 
in said postal indicia and to fail to generate such data when said accounting register satisfies a 
pred^^mined condition; 

said first personal computer communicatively coupled with a pluralHy of second personal 
computes; 

each of said second personal computers programmed to receive requests from a respective 
user for the printing of postal indicia and to communicate said requests to said first personal 
computer, said first personal computer programmed to respond to such requests by receiving 
generated data from the postal security device responsive to the requests, and to print on said 
first printer postal indicia within which the generated data is provided. 

20. The system of claim 1 9 wherein the first personal computer and second personal 
computers are communicatively coupled via a local-area network. 

21 . The system of claim 20 wherein the first personal computer and second personal 
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